Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Remote Desktop Users [message #405128] Thu, 04 March 2010 17:07
Jordan (Norway)
Is it possible to restrict RDP users to a Windows 2008 R2 DC?
By default all Domain Admins are allowed.
Want to just allow some admin users, not all Domain Admins.

Jordan

Re: Remote Desktop Users [message #405406 is a reply to message #405128] Fri, 05 March 2010 03:37
meiweb (Germany)
Hello Jordan,

A domain administrator can revert all your settings. If you don't trust them,
don't make them admins. If you have a multidomain forest you can stick them
to their own domain only and not make them enterprise admins, that's it.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm



Re: Remote Desktop Users [message #405441 is a reply to message #405406] Fri, 05 March 2010 05:10
Jordan (Norway)
Meinolf, I agree with what you say.

The servers are placed in a Datacenter, with very limited physical
access.

Even if it is not a bulletproof security solution, is there a way to
block or allow selected Domain Admins RDP access or even remove
Domain Admins and only allow specific users?

In the meaning that blocked users can't connect by RDP by "accident",
without tampering with RDP access rights?

Jordan

Re: Remote Desktop Users [message #405448 is a reply to message #405441] Fri, 05 March 2010 05:23
meiweb (Germany)
Hello Jordan,

If you remove domain admins group from security groups this can result in
problems, even for yourself. If you like to play around that way, create
a lab and try it. But again another domain admin can revert all this configuration.

This kind of question is asked multiple times and the only safe answer is:

Don't make them admins.

Best regards

Meinolf Weber

Re: Remote Desktop Users [message #407469 is a reply to message #405441] Mon, 08 March 2010 10:32
Revenger (Croatia)
On Fri, 05 Mar 2010 13:10:25 +0100, Jordan wrote:

> Even if it is not a bulletproof security solution, is there a way to
> block or allow selected Domain Admins RDP access or even remove
> Domain Admins and only allow specific users?
>
> In the meaning that blocked users can't connect by RDP by "accident",
> without tampering with RDP access rights?

I agree with Meinolf on this: you should not make them domain admins if you
suspect they could be tampering with the server in any way.

That said, I believe it can be accomplished:

Log on to the DC...

Start > Run > Gpedit.msc

Computer configuration > Windows settings > Security settings > Local
policies > User rights assignment

Locate the Deny log on through Remote Desktop Services and add one user at
a time (DON'T add the Domain Admins group, just users you don't want connecting
remotely to your DC!!!).

Test it by adding just one user, and then, if it works, add others as
well...
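
An added example, not part of the posts above: a PowerShell check to run in an elevated prompt on the DC after editing the policy, listing which accounts hold the allow and deny RDP logon rights and warning if the Domain Admins group itself ended up in the deny list. The temporary file name and the `Resolve-Principal` helper are this example's own choices.

```powershell
# Added example: run elevated on the DC. Audits who holds the two RDP logon rights.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rights = @{
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}

function Resolve-Principal([string]$Entry) {
    # Exported entries are either '*S-1-5-...' (a SID) or a plain account name.
    if ($Entry -notmatch '^\*(S-1-.+)$') { return $Entry }
    $sidText = $Matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sidText   # unresolvable (e.g. deleted account): show the raw SID
    }
}

$seen = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
    $name = $Matches[1]; $value = $Matches[2]
    if (-not $rights.ContainsKey($name)) { continue }
    $seen[$name] = $true
    Write-Output ('{0} ({1}):' -f $rights[$name], $name)
    foreach ($entry in ($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        Write-Output ('  ' + (Resolve-Principal $entry))
        # Domain Admins is the domain SID plus RID 512. Denying the whole group
        # blocks every Domain Admin, which is what the post warns against.
        if ($name -eq 'SeDenyRemoteInteractiveLogonRight' -and $entry -match '^\*S-1-5-21-.+-512$') {
            Write-Warning 'The Domain Admins group itself is in the deny list.'
        }
    }
}
# Rights missing from the export are reported as not assigned
# (assumption: secedit leaves out rights that have no accounts).
foreach ($name in $rights.Keys) {
    if (-not $seen.ContainsKey($name)) { Write-Output ('{0} ({1}): not assigned' -f $rights[$name], $name) }
}
Remove-Item $cfg
```

A deny entry takes precedence over the allow right, so a user listed under the deny right is refused RDP even while still a member of Domain Admins.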